ATRG: CloudGuard Controller

Table of Contents

  • Overview
  • Troubleshooting
  • Debugging
  • Recommended Articles


Overview

The CloudGuard cloud security solution delivers advanced threat protection to private or public cloud infrastructures. It controls and manages the security in both the physical and virtual environments with one unified management solution. With trusted APIs, the CloudGuard Controller connects to the Software-Defined Data Center (SDDC) and integrates the virtual cloud environment with Check Point Security Gateways. The CloudGuard Controller automatically keeps the security policy up to date with changes in the cloud. It updates the GUI, API, and security logs with new and changed appliances, computers, devices, and addresses.

Check Point Security Gateways run on virtual machines. Deploy the gateway in the public and private cloud for perimeter and lateral protection, and industry-leading advanced threat prevention security. The CloudGuard Gateways integrate seamlessly with SDN solutions, such as VMware vCenter, VMware NSX, Cisco ACI and Cisco ISE.

The CloudGuard Controller integrates with these virtual cloud environments:

  • Amazon Web Services (AWS) 
  • Microsoft Azure 
  • Cisco ACI 
  • Cisco ISE 
  • Google Cloud Platform (GCP) 
  • Nuage Networks VSP 
  • OpenStack 
  • VMware vCenter 
  • VMware NSX

Refer to the CloudGuard Controller R80.20 Administration Guide.

High Level Components

  • Data Center - Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data.
  • Scanner - Polls objects from the Data Center periodically. There is one scanner for each Data Center.
  • Enforcement - Updates Data Center objects used in the security policy on the gateways.
  • Auto-update - Updates Data Center objects imported on the Management server.

Workflow for Deploying CloudGuard Controller

The CloudGuard Controller is a component of the R80.20 Security Management Server. Make sure you have the most up to date CloudGuard Controller. The steps below may be necessary to enable the CloudGuard Controller to communicate with your Data Center.

  • Step 1: Install or upgrade to R80.20 that includes the CloudGuard Controller.
  • Step 2: Run the "cloudguard on" command on the Management Server.
  • Step 3: Activate the Identity Awareness Software Blade on each gateway on which you want to deploy Data Center objects.
  • Step 4: Integrate with Data Centers.

Support for Data Center Objects on the gateway

Gateway requirements
  • R77.20 and R77.30 gateways
    • Enforcer hotfix required (sk111963).
    • Included in R77.30 JHF 309 and above.
  • R80.10 and above gateways
    • Included in standard image.
Activating Identity Awareness for an R80.10 and above Gateway

Updating Data Center Objects on the gateway

On the Security Management:

  • The $FWDIR/conf/vsec_controller_targets_data.set file is created or updated with a mapping of each gateway to its Data Center Objects (not their IP addresses). Note: the file is created/updated during Install Policy.
  • The Security Management generates a /tmp/ file and pushes it down to the gateway together with the Data Center Objects. This file is pushed to the gateway using CPRID.
  • /tmp/ is a curl command to localhost with a JSON formatted payload that adds the identities to the Identity Awareness process.
    /tmp/ file output
  • The Security Management remotely executes the /tmp/ script with the Identity Awareness secret key using CPRID.
  • The learned Data Center identities are added as PDP identities. They can be viewed by running pdp m a.
    Identity Awareness output pdp m a


Troubleshooting

Confirming CloudGuard Controller is running

Check to see the status of the CloudGuard Controller:
  1. Run cloudguard

For additional troubleshooting scenarios, refer to the "CloudGuard Controller Troubleshooting" section in the CloudGuard Controller R80.20 Administration Guide.


Debugging

Logs and debugs for Data Center Object creation

  • Log files on Security Management 
    (For MDS: $MDS_FWDIR)
    • $FWDIR/log/cpm.elg 
    • $FWDIR/log/cloud_proxy.elg
  • Debugs
    • Debug values $VSECDIR/lib/ Set to TRACE
      Select from the following as relevant to your scanner
    • CPM debugs for object creation failures (sk110913)

Example of a failure for Data Center Object Creation or Importing

When creating a Data Center Object and authentication fails, the authentication failure is visible in the cloud_proxy log. In the excerpt below the debug value was set to TRACE.

Cloud_proxy log


09/05/18 17:44:37,817 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Executing: [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/, --max-time, 60, -t]
09/05/18 17:44:37,822 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Running process with time out of: 300 seconds
09/05/18 17:44:38,429 TRACE cms_proxy.Process.ProcessExecutor [pool-18-thread-1]: Process finished (callable)
09/05/18 17:44:38,430 ERROR [qtp258411693-28]: Command failed:
ProcessBuilder= [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/, --max-time, 60, -t]
errCode= 1
processTimeoutSeconds= 300
processDurationSeconds= 0
Process Output String= AuthenticationProblem
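Added example (not Check Point's code): a small triage helper that walks cloud_proxy.elg text for "Command failed:" records laid out like the excerpt above and reports, per failed scan, the Data Center type (taken from the scripts/<type>/ path), exit code and Process Output String, so an AuthenticationProblem or a scanner that ran into its timeout is flagged without reading the whole log. The record layout and field names come from the excerpt; SAMPLE_LOG is constructed, and treating duration >= timeout as a timeout is an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Optional
# Constructed sample in the cloud_proxy.elg layout quoted on this page (not a real capture).
SAMPLE_LOG = """\
09/05/18 17:44:38,430 ERROR [qtp258411693-28]: Command failed:
ProcessBuilder= [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/, --max-time, 60, -t]
errCode= 1
processTimeoutSeconds= 300
processDurationSeconds= 0
Process Output String= AuthenticationProblem
09/05/18 17:44:39,002 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Process finished (callable)
"""
RECORD_RE = re.compile(r"(?m)^(?=\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\d{3} )")  # each record starts with a timestamp
FAIL_RE = re.compile(r"^(\S+ \S+) ERROR \[[^\]]+\]: Command failed:")              # header of a failure record
KV_RE = re.compile(r"^([A-Za-z ]+?)=\s*(.*)$")                                    # "key= value" lines below it

class ScanFailure(NamedTuple):
    timestamp: str
    dc_type: str             # directory under $VSECDIR/scripts: aws, azure or google
    err_code: Optional[int]
    timed_out: bool          # processDurationSeconds reached processTimeoutSeconds (assumption)
    output: str              # "Process Output String", e.g. AuthenticationProblem

def _build(f: Dict[str, str]) -> ScanFailure:
    m = re.search(r"/scripts/([^/,\]]+)/", f.get("ProcessBuilder", ""))
    timeout = int(f.get("processTimeoutSeconds") or 0)
    duration = int(f.get("processDurationSeconds") or 0)
    return ScanFailure(f["ts"], m.group(1) if m else "unknown",
                       int(f["errCode"]) if f.get("errCode", "").isdigit() else None,
                       timeout > 0 and duration >= timeout, f.get("Process Output String", ""))

def parse_failures(text: str) -> List[ScanFailure]:
    # One ScanFailure per "Command failed:" record; other records (TRACE etc.) are skipped.
    failures = []
    for record in RECORD_RE.split(text):
        head, *body = record.splitlines() or [""]
        m = FAIL_RE.match(head)
        if not m:
            continue
        fields = {"ts": m.group(1)}
        for kv in filter(None, map(KV_RE.match, body)):   # the detail lines under the header
            fields[kv.group(1)] = kv.group(2).strip()
        failures.append(_build(fields))
    return failures

def diagnose(f: ScanFailure) -> str:
    # First thing to check for a failed scan, following this article's troubleshooting flow.
    if f.output.startswith("AuthenticationProblem"):
        return "authentication failure: verify the Data Center object's credentials"
    if f.timed_out:
        return "scanner timed out: check connectivity from the Management Server to the cloud provider"
    return "exit code %s: re-run the %s scanner script with its debug variable set" % (f.err_code, f.dc_type)
```

Run it on the management server against the real file with parse_failures(open("$FWDIR/log/cloud_proxy.elg" expanded).read()) and print diagnose() for each record.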

Logs and debugs for enforcement on the gateway

  • Log files on Security Management
    (For MDS: $MDS_FWDIR)
    • $FWDIR/log/cloud_proxy.elg
    • $FWDIR/conf/cpm.elg
    • $FWDIR/conf/vsec_controller_targets_data.set
  • Log files on Gateway
    • $FWDIR/log/CPRID.elg
    • $FWDIR/log/pdp.elg*
    • /tmp/
  • Debugs on management
    • Debug values $VSECDIR/lib/ Set to TRACE
    • Debug CPRID on Security Management and Gateway
  • Debugs on gateway
    • Command output of pdp m a
    • Debug PDP on the gateway (sk86441)

    CloudGuard Controller advanced debugs

    Debugging connectivity issues to the cloud provider:

    • Azure: curl_cli --verbose --cacert /var/opt/CPshrd-R80/conf/ca-bundle-public-cloud.crt
    • AWS: curl_cli
    Additional debug levels

    Define python in the environment:
    1. According to the relevant Data Center type, run: grep python $VSECDIR/scripts/<aws | azure | google>/
    2. If the output is #!/usr/bin/env python3:
      • export python=$FWDIR/Python/bin/python3
    3. If the output is #!/usr/bin/env python:
      • export python=$FWDIR/Python/bin/python
    R80.40 and higher:


    AWS_API_DEBUG=true AWS_ACCESS_KEY=<access key> AWS_SECRET_KEY=<secret key> $FWDIR/Python/bin/python3 $VSECDIR/scripts/aws/ <region code>

    export GCP_CREDENTIALS=$(cat <PATH_TO_GCP_CREDENTIALS_JSON_FILE>); GCP_DEBUG=true $FWDIR/Python/bin/python3 $VSECDIR/scripts/google/ __ALL__ 

    AZURE_REST_DEBUG=true AZURE_CREDENTIALS='{"client_id": "<client id>","client_secret": "<client secret>","grant_type": "client_credentials","tenant": "<tenant>"}' $FWDIR/Python/bin/python3 $VSECDIR/scripts/azure/

    Note: The Azure Credentials can also be written in a file with the same format as above:
    AZURE_REST_DEBUG=true AZURE_CREDENTIALS=creds.json $FWDIR/Python/bin/python3 $VSECDIR/scripts/azure/

    R80.30 and below:


    AWS_API_DEBUG=true AWS_ACCESS_KEY=<access key> AWS_SECRET_KEY=<secret key> python $VSECDIR/scripts/aws/ <region code>

    export GCP_CREDENTIALS=$(cat <PATH_TO_GCP_CREDENTIALS_JSON_FILE>); GCP_DEBUG=true python $VSECDIR/scripts/google/ __ALL__ 

    AZURE_REST_DEBUG=true AZURE_CREDENTIALS='{"client_id": "<client id>","client_secret": "<client secret>","grant_type": "client_credentials","tenant": "<tenant>"}' python $VSECDIR/scripts/azure/

    Note: The Azure Credentials can also be written in a file with the same format as above:
    AZURE_REST_DEBUG=true AZURE_CREDENTIALS=creds.json python $VSECDIR/scripts/azure/

    Testing CPRID
    • Check that the CPRID port (TCP 18208) is allowed between the Security Management and the gateway:
      Verify that cprid_util -server GW_IP getenv -attr FWDIR returns output.
    • How to remotely execute on a gateway
      cprid_util -server -timeout 120 -verbose rexec -rcmd bash /tmp/
    PDP controller debug steps:
    1. Remove the existing old files:
      # mkdir $FWDIR/log/pdpLog/
      # mv $FWDIR/log/pdpd.elg* $FWDIR/log/pdpLog/
    2. Reset the log rotation: # pdp d rotate
    3. Revoke the Security Group association from pdpd (the IP used in the pdp m command):
      # pdp control revoke_ip
      * The Security Group will not appear under the pdp m command until it is re-associated.
    4. Start debug:
      # echo "=======> start debug `date` " >> $FWDIR/log/pdpd.elg
      # pdp debug on
      # pdp d s all all
    5. Replicate the issue (if possible). 
    6. Stop the debug:
      # pdp d unset all all
      # pdp d off
      # echo "=======> stop debug `date` " >> $FWDIR/log/pdpd.elg
    7. Collect the following files and share them with Support: # $FWDIR/log/pdpd.elg*
